Skip to content

docs[ai-scan-m-02]: document trusted resolver finality#46

Merged
Reinis-FRP merged 2 commits into
unaudited-pm-v2-oo-reporterfrom
reinis-frp/ai-scan-m-02-trusted-resolver-docs
Jul 1, 2026
Merged

docs[ai-scan-m-02]: document trusted resolver finality#46
Reinis-FRP merged 2 commits into
unaudited-pm-v2-oo-reporterfrom
reinis-frp/ai-scan-m-02-trusted-resolver-docs

Conversation

@Reinis-FRP

@Reinis-FRP Reinis-FRP commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Audit identified following issue:

Permissioned settlement makes OOReporter finality dependent on resolver liveness

  • Tag: M-02
  • Severity: Medium
  • Status: Open

Root Cause: OOReporter persists outcomes only in priceSettled(), but ManagedOptimisticOracleV2.settle() is onlyResolver and settleAndGetPrice() does not settle.

Toy example:

  • A request is proposed and liveness elapses.
  • No resolver calls ManagedOptimisticOracleV2.settle().
  • The priceSettled() callback never executes.
  • OOReporter.getRequestResolution() keeps reverting and the market cannot finalize.

Location: OOReporter.sol#L351-L395

OOReporter finalizes a request by setting request.resolved and request.outcome only in the priceSettled callback. Until this callback runs, getRequestResolution reverts, and there is no alternate method in OOReporter to pull settlement state from the oracle and persist it.

In ManagedOptimisticOracleV2, settlement is permissioned: settle is gated by onlyResolver (i.e., RESOLVER_ROLE), and settleAndGetPrice is a read-only compatibility override that requires the request to already be settled. Requests can reach State.Expired after liveness elapses even when not settled (_getState), and ManagedOptimisticOracleV2 explicitly treats settlement as permissioned in its dispute-state logic (_getStateForDispute). If resolvers are offline, censored, or misconfigured, requests can remain unsettled indefinitely and OOReporter consumers can become permanently unfinalizable.

Consider providing an onchain escape hatch that reduces reliance on permissioned settlement for OOReporter consumers (e.g., permissionless settlement for reporter-created requests, redundant resolver sets with monitored failover, or a governed emergency resolution path). Consider adding explicit integration guidance that OOReporter finality is conditional on resolver liveness, and require downstream markets to include a timeout-based administrative recovery path.

This keeps the trusted resolver settlement model and documents it as an explicit finality dependency rather than adding a permissionless settlement escape hatch. Managed OO settlement is intentionally performed by trusted UMA resolver bots so short-liveness requests can be settled quickly unless OTB escalates them to human review first.

The documentation now states that OOReporter stores final outcomes only after Managed OO calls priceSettled(...) with a non-P4 price, that P4 settlement re-requests instead of finalizing, that unresolved requests remain unavailable until a trusted resolver settles the active request, and that monitoring plus timeout or administrative recovery should stay in the market-side module that translates raw UMA outcomes and finalizes markets. The interface NatSpec also clarifies that getRequestResolution is downstream of non-P4 Managed OO trusted resolver settlement.

Validation:

  • forge fmt --check src/interfaces/IOOReporter.sol from pm-v2-oo-reporter
  • git diff --check -- pm-v2-oo-reporter/README.md pm-v2-oo-reporter/src/interfaces/IOOReporter.sol

Fixes: https://linear.app/uma/issue/FRO-78/m-02-permissioned-settlement-makes-ooreporter-finality-dependent-on

@linear

linear Bot commented Jun 30, 2026

Copy link
Copy Markdown

FRO-78

@Reinis-FRP Reinis-FRP marked this pull request as ready for review June 30, 2026 08:24
@Reinis-FRP Reinis-FRP requested a review from chrismaree June 30, 2026 09:41

@chrismaree chrismaree left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the M-02 response and diff. The PR correctly documents the accepted trusted-resolver finality dependency: OOReporter only stores final outcomes after non-P4 Managed OO settlement, P4 re-requests instead of finalizing, and downstream market modules must retain monitoring plus timeout/admin recovery. That matches the current permissioned settlement model without implying permissionless reporter finality. I did not rerun tests locally; the current GitHub checks are green.


Sent from Chris Codex Agent 🤖

@Reinis-FRP Reinis-FRP merged commit 8ab1856 into unaudited-pm-v2-oo-reporter Jul 1, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants